class TestURLTool(unittest.TestCase):
def setUp(self):
self.site = DummySite(id='foo')
self.site._setObject('foo', DummyFolder(id='foo'))
self.site.foo._setObject('doc1', DummyContent(id='doc1'))
mock_registry = DummyRegistry(id='portal_registry')
self.site.portal_registry = mock_registry
sm = getSiteManager()
sm.registerUtility(component=mock_registry, provided=IRegistry)
def _makeOne(self, *args, **kw):
from Products.CMFPlone.URLTool import URLTool
url_tool = URLTool(*args, **kw)
return url_tool.__of__(self.site)
def test_isURLInPortal(self):
# First test what the absolute url of the site is, otherwise these
# tests look really weird. Apparently our domain is www.foobar.com.
self.assertEqual(self.site.absolute_url(),
'http://www.foobar.com/bar/foo')
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertTrue(iURLiP('http://www.foobar.com/bar/foo/folder'))
self.assertTrue(iURLiP('http://www.foobar.com/bar/foo'))
self.assertFalse(iURLiP('http://www.foobar.com/bar2/foo'))
self.assertTrue(iURLiP('https://www.foobar.com/bar/foo/folder'))
self.assertFalse(iURLiP('http://www.foobar.com:8080/bar/foo/folder'))
self.assertFalse(iURLiP('http://www.foobar.com/bar'))
self.assertTrue(iURLiP('//www.foobar.com/bar/foo'))
self.assertFalse(iURLiP('/images'))
self.assertTrue(iURLiP('/bar/foo/foo'))
def test_isURLInPortalRelative(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
# non-root relative urls will need a current context to be passed in
self.assertTrue(iURLiP('images/img1.jpg'))
self.assertTrue(iURLiP('./images/img1.jpg'))
# /bar/foo/something
self.assertTrue(iURLiP('../something', self.site.foo.doc1))
# /bar/afolder
self.assertFalse(iURLiP('../../afolder', self.site.foo.doc1))
# /afolder
self.assertFalse(iURLiP('../../../afolder', self.site.foo.doc1))
# /../afolder? How do we have more ../'s than there are parts in
# the URL?
self.assertFalse(iURLiP('../../../../afolder', self.site.foo.doc1))
# /bar/foo/afolder
self.assertTrue(iURLiP('../../foo/afolder', self.site.foo.doc1))
def test_isURLInPortalExternal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertTrue(iURLiP('http://external1'))
self.assertTrue(iURLiP('http://external1/'))
self.assertTrue(iURLiP('http://external1/something'))
self.assertTrue(iURLiP('http://external2'))
self.assertTrue(iURLiP('http://external2/'))
self.assertTrue(iURLiP('http://external2/something'))
self.assertTrue(iURLiP('http://external3/site'))
self.assertTrue(iURLiP('http://external3/site/'))
self.assertTrue(iURLiP('http://external3/site/something'))
self.assertTrue(iURLiP('http://external4/site'))
self.assertTrue(iURLiP('http://external4/site/'))
self.assertTrue(iURLiP('http://external4/site/something'))
self.assertFalse(iURLiP('http://external3/other'))
self.assertFalse(iURLiP('http://external4/other'))
self.assertFalse(iURLiP('http://external5'))
self.assertFalse(iURLiP('http://external11'))
def test_script_tag_url_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP('<script>alert("hi");</script>'))
self.assertFalse(iURLiP('<sCript>alert("hi");</script>'))
self.assertFalse(
iURLiP('%3Cscript%3Ealert(%22hi%22)%3B%3C%2Fscript%3E'))
self.assertFalse(
iURLiP('%3CsCript%3Ealert(%22hi%22)%3B%3C%2Fscript%3E'))
def test_inline_url_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP('javascript%3Aalert(3)'))
self.assertFalse(iURLiP('jaVascript%3Aalert(3)'))
self.assertFalse(iURLiP('javascript:alert(3)'))
self.assertFalse(iURLiP('jaVascript:alert(3)'))
def test_double_back_slash(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP('\\\\www.example.com'))
def test_escape(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP(r'\/\/www.example.com'))
self.assertFalse(iURLiP(r'\%2F\%2Fwww.example.com'))
self.assertFalse(iURLiP(r'\%2f\%2fwww.example.com'))
self.assertFalse(iURLiP('%2F%2Fwww.example.com'))
self.assertFalse(iURLiP('%2f%2fwww.example.com'))
def test_regression_absolute_url_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertTrue(iURLiP(url_tool()))
self.assertTrue(iURLiP(url_tool() + '/shrubbery?knights=ni#ekki-ekki'))
def test_mailto_simple_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP('mailto:[email protected]'))
def test_mailto_complex_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(
iURLiP(
'mailto:192.168.163.154:8080/Plone''
'"><html><svg onload=alert(document'
'.domain)></html>'))
def test_data_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(
iURLiP(
'data:text/html%3bbase64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K'
))
def test_double_slash(self):
# I wondered if this might be a problem after reading
# https://bugs.python.org/issue23505
# Apparently not, but let's test it.
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP('//www.google.com'))
self.assertFalse(iURLiP('////www.google.com'))
class TestURLTool(unittest.TestCase):
def setUp(self):
import Products.isurlinportal
# Patch get_external_sites to return a fixed list of sites.
self._original_get_external_sites = Products.isurlinportal.get_external_sites
Products.isurlinportal.get_external_sites = dummy_get_external_sites
# Create dummy site and content.
self.site = DummySite(id="foo")
self.site._setObject("foo", DummyFolder(id="foo"))
self.site.foo._setObject("doc1", DummyContent(id="doc1"))
def tearDown(self):
import Products.isurlinportal
# Restore original get_external_sites.
Products.isurlinportal.get_external_sites = self._original_get_external_sites
def _makeOne(self, *args, **kw):
from Products.CMFPlone.URLTool import URLTool
url_tool = URLTool(*args, **kw)
return url_tool.__of__(self.site)
def test_isURLInPortal(self):
# First test what the absolute url of the site is, otherwise these
# tests look really weird. Apparently our domain is www.foobar.com.
self.assertEqual(self.site.absolute_url(), "http://www.foobar.com/bar/foo")
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertTrue(iURLiP("http://www.foobar.com/bar/foo/folder"))
self.assertTrue(iURLiP("http://www.foobar.com/bar/foo"))
self.assertFalse(iURLiP("http://www.foobar.com/bar2/foo"))
self.assertTrue(iURLiP("https://www.foobar.com/bar/foo/folder"))
self.assertFalse(iURLiP("http://www.foobar.com:8080/bar/foo/folder"))
self.assertFalse(iURLiP("http://www.foobar.com/bar"))
self.assertFalse(iURLiP("http://other.foobar.com/bar/foo"))
self.assertTrue(iURLiP("//www.foobar.com/bar/foo"))
self.assertFalse(iURLiP("/images"))
self.assertTrue(iURLiP("/bar/foo/foo"))
def test_isURLInPortalRelative(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
# non-root relative urls will need a current context to be passed in
self.assertTrue(iURLiP("images/img1.jpg"))
self.assertTrue(iURLiP("./images/img1.jpg"))
# /bar/foo/something
self.assertTrue(iURLiP("../something", self.site.foo.doc1))
# /bar/afolder
self.assertFalse(iURLiP("../../afolder", self.site.foo.doc1))
# /afolder
self.assertFalse(iURLiP("../../../afolder", self.site.foo.doc1))
# /../afolder? How do we have more ../'s than there are parts in
# the URL?
self.assertFalse(iURLiP("../../../../afolder", self.site.foo.doc1))
# /bar/foo/afolder
self.assertTrue(iURLiP("../../foo/afolder", self.site.foo.doc1))
def test_isURLInPortalExternal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertTrue(iURLiP("http://external1"))
self.assertTrue(iURLiP("http://external1/"))
self.assertTrue(iURLiP("http://external1/something"))
self.assertTrue(iURLiP("http://external2"))
self.assertTrue(iURLiP("http://external2/"))
self.assertTrue(iURLiP("http://external2/something"))
self.assertTrue(iURLiP("http://external3/site"))
self.assertTrue(iURLiP("http://external3/site/"))
self.assertTrue(iURLiP("http://external3/site/something"))
self.assertTrue(iURLiP("http://external4/site"))
self.assertTrue(iURLiP("http://external4/site/"))
self.assertTrue(iURLiP("http://external4/site/something"))
self.assertFalse(iURLiP("http://external3/other"))
self.assertFalse(iURLiP("http://external4/other"))
self.assertFalse(iURLiP("http://external5"))
self.assertFalse(iURLiP("http://external11"))
def test_script_tag_url_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP('<script>alert("hi");</script>'))
self.assertFalse(iURLiP('<sCript>alert("hi");</script>'))
self.assertFalse(iURLiP("%3Cscript%3Ealert(%22hi%22)%3B%3C%2Fscript%3E"))
self.assertFalse(iURLiP("%3CsCript%3Ealert(%22hi%22)%3B%3C%2Fscript%3E"))
def test_inline_url_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP("javascript%3Aalert(3)"))
self.assertFalse(iURLiP("jaVascript%3Aalert(3)"))
self.assertFalse(iURLiP("javascript:alert(3)"))
self.assertFalse(iURLiP("jaVascript:alert(3)"))
def test_double_back_slash(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP("\\\\www.example.com"))
def test_escape(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP(r"\/\/www.example.com"))
self.assertFalse(iURLiP(r"\%2F\%2Fwww.example.com"))
self.assertFalse(iURLiP(r"\%2f\%2fwww.example.com"))
self.assertFalse(iURLiP("%2F%2Fwww.example.com"))
self.assertFalse(iURLiP("%2f%2fwww.example.com"))
def test_regression_absolute_url_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertTrue(iURLiP(url_tool()))
self.assertTrue(iURLiP(url_tool() + "/shrubbery?knights=ni#ekki-ekki"))
def test_mailto_simple_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP("mailto:[email protected]"))
def test_mailto_complex_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(
iURLiP(
"mailto:192.168.163.154:8080/Plone'"
""><html><svg onload=alert(document"
".domain)></html>"
)
)
def test_data_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(
iURLiP("data:text/html%3bbase64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K")
)
def test_double_slash(self):
# I wondered if this might be a problem after reading
# https://bugs.python.org/issue23505
# Apparently not, but let's test it.
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP("//www.google.com"))
self.assertFalse(iURLiP("////www.google.com"))
def test_empty(self):
# Redirecting to nothing would probably mean we end up on the same page.
# So an empty url should be fine.
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertTrue(iURLiP(""))
def test_newlines(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertTrue(iURLiP("foo"))
self.assertFalse(iURLiP("f\noo"))
self.assertFalse(iURLiP("f\roo"))
self.assertFalse(iURLiP("\nfoo"))
self.assertFalse(iURLiP("\rfoo"))
def test_whitespace(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertTrue(iURLiP("foo"))
self.assertTrue(iURLiP("f oo"))
# '\x20' == ' '
self.assertTrue(iURLiP("f\x20oo"))
self.assertFalse(iURLiP("f\too"))
self.assertFalse(iURLiP("\tfoo"))
self.assertFalse(iURLiP("foo\t"))
self.assertFalse(iURLiP(" foo"))
self.assertFalse(iURLiP("foo "))
class TestURLTool(unittest.TestCase):
def setUp(self):
self.site = DummySite(id='foo')
self.site._setObject('foo', DummyFolder(id='foo'))
self.site.foo._setObject('doc1', DummyContent(id='doc1'))
mock_registry = DummyRegistry(id='portal_registry')
self.site.portal_registry = mock_registry
sm = getSiteManager()
sm.registerUtility(component=mock_registry, provided=IRegistry)
def _makeOne(self, *args, **kw):
from Products.CMFPlone.URLTool import URLTool
url_tool = URLTool(*args, **kw)
return url_tool.__of__(self.site)
def test_isURLInPortal(self):
# First test what the absolute url of the site is, otherwise these
# tests look really weird. Apparently our domain is www.foobar.com.
self.assertEqual(self.site.absolute_url(),
'http://www.foobar.com/bar/foo')
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertTrue(iURLiP('http://www.foobar.com/bar/foo/folder'))
self.assertTrue(iURLiP('http://www.foobar.com/bar/foo'))
self.assertFalse(iURLiP('http://www.foobar.com/bar2/foo'))
self.assertTrue(iURLiP('https://www.foobar.com/bar/foo/folder'))
self.assertFalse(iURLiP('http://www.foobar.com:8080/bar/foo/folder'))
self.assertFalse(iURLiP('http://www.foobar.com/bar'))
self.assertFalse(iURLiP('/images'))
self.assertTrue(iURLiP('/bar/foo/foo'))
def test_isURLInPortalRelative(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
# non-root relative urls will need a current context to be passed in
self.assertTrue(iURLiP('images/img1.jpg'))
self.assertTrue(iURLiP('./images/img1.jpg'))
# /bar/foo/something
self.assertTrue(iURLiP('../something', self.site.foo.doc1))
# /bar/afolder
self.assertFalse(iURLiP('../../afolder', self.site.foo.doc1))
# /afolder
self.assertFalse(iURLiP('../../../afolder', self.site.foo.doc1))
# /../afolder? How do we have more ../'s than there are parts in
# the URL?
self.assertFalse(iURLiP('../../../../afolder', self.site.foo.doc1))
# /bar/foo/afolder
self.assertTrue(iURLiP('../../foo/afolder', self.site.foo.doc1))
def test_isURLInPortalExternal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertTrue(iURLiP('http://external1'))
self.assertTrue(iURLiP('http://external1/'))
self.assertTrue(iURLiP('http://external1/something'))
self.assertTrue(iURLiP('http://external2'))
self.assertTrue(iURLiP('http://external2/'))
self.assertTrue(iURLiP('http://external2/something'))
self.assertTrue(iURLiP('http://external3/site'))
self.assertTrue(iURLiP('http://external3/site/'))
self.assertTrue(iURLiP('http://external3/site/something'))
self.assertTrue(iURLiP('http://external4/site'))
self.assertTrue(iURLiP('http://external4/site/'))
self.assertTrue(iURLiP('http://external4/site/something'))
self.assertFalse(iURLiP('http://external3/other'))
self.assertFalse(iURLiP('http://external4/other'))
self.assertFalse(iURLiP('http://external5'))
self.assertFalse(iURLiP('http://external11'))
def test_script_tag_url_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP('<script>alert("hi");</script>'))
self.assertFalse(iURLiP('<sCript>alert("hi");</script>'))
self.assertFalse(
iURLiP('%3Cscript%3Ealert(%22hi%22)%3B%3C%2Fscript%3E'))
self.assertFalse(
iURLiP('%3CsCript%3Ealert(%22hi%22)%3B%3C%2Fscript%3E'))
def test_inline_url_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP('javascript%3Aalert(3)'))
self.assertFalse(iURLiP('jaVascript%3Aalert(3)'))
self.assertFalse(iURLiP('javascript:alert(3)'))
self.assertFalse(iURLiP('jaVascript:alert(3)'))
def test_double_back_slash(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP('\\\\www.example.com'))
class TestURLTool(unittest.TestCase):
def setUp(self):
self.site = DummySite(id='foo')
self.site._setObject('foo', DummyFolder(id='foo'))
self.site.foo._setObject('doc1', DummyContent(id='doc1'))
mock_registry = DummyRegistry(id='portal_registry')
self.site.portal_registry = mock_registry
sm = getSiteManager()
sm.registerUtility(component=mock_registry, provided=IRegistry)
def _makeOne(self, *args, **kw):
from Products.CMFPlone.URLTool import URLTool
url_tool = URLTool(*args, **kw)
return url_tool.__of__(self.site)
def test_isURLInPortal(self):
# First test what the absolute url of the site is, otherwise these
# tests look really weird. Apparently our domain is www.foobar.com.
self.assertEqual(self.site.absolute_url(),
'http://www.foobar.com/bar/foo')
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertTrue(iURLiP('http://www.foobar.com/bar/foo/folder'))
self.assertTrue(iURLiP('http://www.foobar.com/bar/foo'))
self.assertFalse(iURLiP('http://www.foobar.com/bar2/foo'))
self.assertTrue(iURLiP('https://www.foobar.com/bar/foo/folder'))
self.assertFalse(iURLiP('http://www.foobar.com:8080/bar/foo/folder'))
self.assertFalse(iURLiP('http://www.foobar.com/bar'))
self.assertFalse(iURLiP('/images'))
self.assertTrue(iURLiP('/bar/foo/foo'))
def test_isURLInPortalRelative(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
# non-root relative urls will need a current context to be passed in
self.assertTrue(iURLiP('images/img1.jpg'))
self.assertTrue(iURLiP('./images/img1.jpg'))
# /bar/foo/something
self.assertTrue(iURLiP('../something', self.site.foo.doc1))
# /bar/afolder
self.assertFalse(iURLiP('../../afolder', self.site.foo.doc1))
# /afolder
self.assertFalse(iURLiP('../../../afolder', self.site.foo.doc1))
# /../afolder? How do we have more ../'s than there are parts in
# the URL?
self.assertFalse(iURLiP('../../../../afolder', self.site.foo.doc1))
# /bar/foo/afolder
self.assertTrue(iURLiP('../../foo/afolder', self.site.foo.doc1))
def test_isURLInPortalExternal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertTrue(iURLiP('http://external1'))
self.assertTrue(iURLiP('http://external1/'))
self.assertTrue(iURLiP('http://external1/something'))
self.assertTrue(iURLiP('http://external2'))
self.assertTrue(iURLiP('http://external2/'))
self.assertTrue(iURLiP('http://external2/something'))
self.assertTrue(iURLiP('http://external3/site'))
self.assertTrue(iURLiP('http://external3/site/'))
self.assertTrue(iURLiP('http://external3/site/something'))
self.assertTrue(iURLiP('http://external4/site'))
self.assertTrue(iURLiP('http://external4/site/'))
self.assertTrue(iURLiP('http://external4/site/something'))
self.assertFalse(iURLiP('http://external3/other'))
self.assertFalse(iURLiP('http://external4/other'))
self.assertFalse(iURLiP('http://external5'))
self.assertFalse(iURLiP('http://external11'))
def test_script_tag_url_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP('<script>alert("hi");</script>'))
self.assertFalse(iURLiP('<sCript>alert("hi");</script>'))
self.assertFalse(
iURLiP('%3Cscript%3Ealert(%22hi%22)%3B%3C%2Fscript%3E'))
self.assertFalse(
iURLiP('%3CsCript%3Ealert(%22hi%22)%3B%3C%2Fscript%3E'))
def test_inline_url_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP('javascript%3Aalert(3)'))
self.assertFalse(iURLiP('jaVascript%3Aalert(3)'))
self.assertFalse(iURLiP('javascript:alert(3)'))
self.assertFalse(iURLiP('jaVascript:alert(3)'))
def test_double_back_slash(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP('\\\\www.example.com'))
class TestURLTool(unittest.TestCase):
def setUp(self):
self.site = DummySite(id='foo')
self.site._setObject('foo', DummyFolder(id='foo'))
self.site.foo._setObject('doc1', DummyContent(id='doc1'))
mock_registry = DummyRegistry(id='portal_registry')
self.site.portal_registry = mock_registry
sm = getSiteManager()
sm.registerUtility(component=mock_registry, provided=IRegistry)
def _makeOne(self, *args, **kw):
from Products.CMFPlone.URLTool import URLTool
url_tool = URLTool(*args, **kw)
return url_tool.__of__(self.site)
def test_isURLInPortal(self):
# First test what the absolute url of the site is, otherwise these
# tests look really weird. Apparently our domain is www.foobar.com.
self.assertEqual(self.site.absolute_url(),
'http://www.foobar.com/bar/foo')
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertTrue(iURLiP('http://www.foobar.com/bar/foo/folder'))
self.assertTrue(iURLiP('http://www.foobar.com/bar/foo'))
self.assertFalse(iURLiP('http://www.foobar.com/bar2/foo'))
self.assertTrue(iURLiP('https://www.foobar.com/bar/foo/folder'))
self.assertFalse(iURLiP('http://www.foobar.com:8080/bar/foo/folder'))
self.assertFalse(iURLiP('http://www.foobar.com/bar'))
self.assertFalse(iURLiP('/images'))
self.assertTrue(iURLiP('/bar/foo/foo'))
def test_isURLInPortalRelative(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
# non-root relative urls will need a current context to be passed in
self.assertTrue(iURLiP('images/img1.jpg'))
self.assertTrue(iURLiP('./images/img1.jpg'))
# /bar/foo/something
self.assertTrue(iURLiP('../something', self.site.foo.doc1))
# /bar/afolder
self.assertFalse(iURLiP('../../afolder', self.site.foo.doc1))
# /afolder
self.assertFalse(iURLiP('../../../afolder', self.site.foo.doc1))
# /../afolder? How do we have more ../'s than there are parts in
# the URL?
self.assertFalse(iURLiP('../../../../afolder', self.site.foo.doc1))
# /bar/foo/afolder
self.assertTrue(iURLiP('../../foo/afolder', self.site.foo.doc1))
def test_isURLInPortalExternal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertTrue(iURLiP('http://external1'))
self.assertTrue(iURLiP('http://external1/'))
self.assertTrue(iURLiP('http://external1/something'))
self.assertTrue(iURLiP('http://external2'))
self.assertTrue(iURLiP('http://external2/'))
self.assertTrue(iURLiP('http://external2/something'))
self.assertTrue(iURLiP('http://external3/site'))
self.assertTrue(iURLiP('http://external3/site/'))
self.assertTrue(iURLiP('http://external3/site/something'))
self.assertTrue(iURLiP('http://external4/site'))
self.assertTrue(iURLiP('http://external4/site/'))
self.assertTrue(iURLiP('http://external4/site/something'))
self.assertFalse(iURLiP('http://external3/other'))
self.assertFalse(iURLiP('http://external4/other'))
self.assertFalse(iURLiP('http://external5'))
self.assertFalse(iURLiP('http://external11'))
def test_script_tag_url_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP('<script>alert("hi");</script>'))
self.assertFalse(iURLiP('<sCript>alert("hi");</script>'))
self.assertFalse(
iURLiP('%3Cscript%3Ealert(%22hi%22)%3B%3C%2Fscript%3E'))
self.assertFalse(
iURLiP('%3CsCript%3Ealert(%22hi%22)%3B%3C%2Fscript%3E'))
def test_inline_url_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP('javascript%3Aalert(3)'))
self.assertFalse(iURLiP('jaVascript%3Aalert(3)'))
self.assertFalse(iURLiP('javascript:alert(3)'))
self.assertFalse(iURLiP('jaVascript:alert(3)'))
def test_double_back_slash(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP('\\\\www.example.com'))
def test_regression_absolute_url_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertTrue(iURLiP(url_tool()))
self.assertTrue(iURLiP(url_tool() + '/shrubbery?knights=ni#ekki-ekki'))
def test_mailto_simple_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP(
'mailto:[email protected]')
)
def test_mailto_complex_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP(
'mailto:192.168.163.154:8080/Plone''
'"><html><svg onload=alert(document'
'.domain)></html>')
)
def test_data_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP(
'data:text/html%3bbase64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K')
)
def test_double_slash(self):
# I wondered if this might be a problem after reading
# https://bugs.python.org/issue23505
# Apparently not, but let's test it.
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP(
'//www.google.com'))
self.assertFalse(iURLiP(
'////www.google.com'))
